9f99cfb771
Network daemon patches from Russell Coker.
2017-02-25 11:20:19 -05:00
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
69da46ae18
usrmerge FC fixes from Russell Coker.
2017-02-07 18:51:58 -05:00
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
67c435f1fc
Module version bump for fc updates from Nicolas Iooss.
2016-12-28 14:38:05 -05:00
f850ec37df
Module version bumps for /run fc changes from cgzones.
2016-12-22 15:54:46 -05:00
16b7b5573b
Module version bumps for patches from cgzones.
2016-12-04 13:30:54 -05:00
598700325b
allow dhcp_t to domtrans into avahi
...
#============= dhcpc_t ==============
# audit(1459860992.664:6):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute_no_trans"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.830761]
# audit: type=1400 audit(1459860992.664:6): avc: denied { execute_no_trans }
# for pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:134):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute_no_trans"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237496]
# audit: type=1400 audit(1454514879.616:134): avc: denied { execute_no_trans
# } for pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd"
# dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t
# tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
allow dhcpc_t avahi_exec_t:file execute_no_trans;
# audit(1459860992.660:4):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.827312]
# audit: type=1400 audit(1459860992.660:4): avc: denied { execute } for
# pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
# scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1459860992.664:5):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="{ read open }"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.829009]
# audit: type=1400 audit(1459860992.664:5): avc: denied { read open } for
# pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:132):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237297]
# audit: type=1400 audit(1454514879.616:132): avc: denied { execute } for
# pid=464 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
# scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:avahi_exec_t
# tclass=file permissive=1 "
# audit(1454514879.616:133):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="{ read open }"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237309]
# audit: type=1400 audit(1454514879.616:133): avc: denied { read open } for
# pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t
# tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
#!!!! This avc is allowed in the current policy
allow dhcpc_t avahi_exec_t:file { read execute open };
2016-12-04 17:34:11 +01:00
34055cae87
Bump module versions for release.
2016-10-23 16:58:59 -04:00
187019a615
Module version bump for various patches from Guido Trentalancia.
2016-08-14 14:58:57 -04:00
19b84c95b1
Remove redundant libs_read_lib_files() for ifconfig_t.
2016-08-14 14:52:32 -04:00
6caa443d18
Ifconfig should be able to read firmware files in /lib (i.e. some network
...
cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:52:07 -04:00
5481c1cc84
Update the sysnetwork module to add some permissions needed by
...
the dhcp client (another separate patch makes changes to the
ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:51:42 -04:00
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
579849912d
Add supporting rules for domains tightly-coupled with systemd.
2015-10-23 10:17:46 -04:00
a38c3be208
Module version bump for updated netlink sockets from Stephen Smalley
2015-05-22 08:38:53 -04:00
58b3029576
Update netlink socket classes.
...
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.
Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.
Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
fd0c07c8b3
Module version bump for optional else block removal from Steve Lawrence.
2015-01-12 08:45:58 -05:00
4bd0277313
Remove optional else block for dhcp ping
...
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-01-12 08:44:39 -05:00
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
8a3a8c7e1b
Module version bump for /sbin/iw support from Nicolas Iooss.
2014-10-23 08:51:53 -04:00
0820cfe75d
Add comment for iw generic netlink socket usage
2014-10-23 08:50:18 -04:00
5fb1249f37
Use create_netlink_socket_perms when allowing netlink socket creation
...
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00
d6af57e5e7
Allow iw to create generic netlink sockets
...
iw uses generic netlink socket to configure WiFi properties. For
example, "strace iw dev wlan0 set power_save on" outputs:
socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
Some AVC denials are reported in audit.log:
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
Allowing ifconfig_t to create generic netlink sockets fixes this.
(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
2014-10-23 08:07:44 -04:00
491683b3e2
Module version bump for init_daemon_pid_file from Sven Vermeulen.
2014-06-30 14:34:51 -04:00
4a94489be7
Use init_daemon_pid_file instead of init_daemon_run_dir
...
Update non-contrib modules to use init_daemon_pid_file instead of
init_daemon_run_dir.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-26 08:34:27 -04:00
84f2b380cf
Module version bump for ifconfig fc entry from Sven Vermeulen.
2014-05-27 09:08:12 -04:00
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
3208ff94c4
Module version bump for second lot of patches from Dominick Grift.
2013-12-03 13:03:35 -05:00
521bbf8586
These { read write } tty_device_t chr files on boot up in Debian
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:39:21 -05:00
1a01976fc4
Module version bump for first batch of patches from Dominick Grift.
2013-12-02 14:22:29 -05:00
012f1b2311
sysbnetwork: dhclient searches /var/lib/ntp
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
6c19504654
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
eb4512f6eb
Module version bump for dhcpc fixes from Dominick Grift.
2013-09-27 17:15:22 -04:00
f0e0066a7b
Reorder dhcpc additions.
2013-09-27 17:15:02 -04:00
b1599e01fe
sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd)
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 17:13:12 -04:00
cf905e8ef1
Module version bumps for dhcpc leaked fds to hostname.
2013-09-27 15:55:52 -04:00
f0ad29f609
Module version bump for debian ifstate changes from Dominick Grift.
2013-09-27 14:42:47 -04:00
ac5d072465
sysnetwork: Debian stores network interface configuration in /run/network (ifstate), That directory is created by the /etc/init.d/networking script.
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 14:39:29 -04:00
55ac5a503d
Module version bump for ethtool reading pm-powersave.lock from Dominick Grift.
2013-09-26 09:14:07 -04:00
7c6ba1570e
sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:57:19 -04:00
d174521a64
Bump module versions for release.
2013-04-24 16:14:52 -04:00
be2e70be8d
Module version bump for fixes from Dominick Grift.
2013-01-03 10:53:34 -05:00
104456aa17
Module version bump for interfaces used by virt from Dominick Grift.
2012-10-30 14:17:25 -04:00
a2cc003740
Module version bump for minor logging and sysnet changes from Sven Vermeulen.
2012-10-30 13:39:46 -04:00
7ed91bfafd
Support flushing routing cache
...
To flush the routing cache, ifconfig_t (through the "ip" command) requires
sys_admin capability. If not:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-30 13:28:02 -04:00
e4f0112175
Module version bump for dhcp6 ports, from Russell Coker.
2012-10-19 08:39:02 -04:00
f9bee5a60b
Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for client control
...
Client control is used by the wide dhcp6 client, which can be controlled
via dhcp6ctl. This works by communicating over port 5546.
2012-10-19 08:19:28 -04:00
afdb509245
Module version bump for changes from Dominick Grift and Sven Vermeulen.
2012-10-09 11:01:42 -04:00
4ea2bc7eba
Changes to the sysnetwork policy module
...
dhcpc is a dbus_system_domain()
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-09 10:18:36 -04:00
0a6013cd4f
Module version bump for /run/dhcpc directory creation by dhcp from Sven Vermeulen.
2012-08-21 15:25:13 -04:00
452942ca99
DHCP client's hooks create /run/dhcpc directory
...
This directory contains the working files for updating network-related files
(like resolv.conf for name servers) before they are copied to the fixed
location. Although already in use previously, this location (/var/run/dhcpc or
/var/run/dhcpcd) was statically defined on the system.
With the introduction of /run and systems having /var/run -> /run, this is now a
dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing
dhcpc_t to create dhcpc_var_run_t directories, and include a file transition for
directories created in the var_run_t location(s).
Changes since v1
----------------
- Use create_dirs_pattern instead of manage_dirs_pattern
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-21 15:07:47 -04:00
3516535aa6
Bump module versions for release.
2012-07-25 14:33:06 -04:00
4f24b1841c
Add optional name for kernel and system filetrans interfaces.
2012-05-10 09:53:45 -04:00
9e56720a39
Module version bump and changelog for various dontaudits from Sven Vermenulen.
2012-04-20 16:06:54 -04:00
f65edd8280
Bump module versions for release.
2012-02-15 14:32:45 -05:00
3cbb3701cd
Module version bumps for debian fc patch from Russell Coker.
2011-11-16 15:31:48 -05:00
7d6b1e5889
Module version bump and changelog for role attributes usage.
2011-09-21 09:16:34 -04:00
f9145eae44
Add role attributes to dhcpc.
2011-09-21 08:27:37 -04:00
66e03ec8b2
Module version bump for LDAPS patch. Move a line.
2011-08-24 09:38:58 -04:00
12904f9fe8
Module version bump for dhcp client patch from Sven Vermeulen.
2011-08-24 09:15:33 -04:00
4976982e85
Allow dhcp client to update kernel routing table plus context updates
...
This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.
Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:13:33 -04:00
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
86460648a6
Sysnetwork patch from Miroslav Grepl.
...
* adds support for "ip xfrm" command which allows assign a context
2011-03-21 09:48:05 -04:00
8103e7c1f4
Module version bump for sysnetwork interface from Guido Trentalancia.
2011-02-28 09:35:02 -05:00
bca0cdb86e
Remove duplicate/redundant rules, from Russell Coker.
2010-07-07 08:41:20 -04:00
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
1fa92b8a55
Sysnetwork patch from Dan Walsh.
2010-03-18 15:40:04 -04:00
aadcb968f9
Move netlink route sockets from nsswitch to DNS name resolve.
2010-02-17 20:28:59 -05:00
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
7d2f96783c
Module version number bump for 1031ee6.
2010-02-08 13:37:42 -05:00
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
d69616c625
fix ordering in sysnetwork.
2009-08-05 10:23:50 -04:00
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
26410ddf54
trunk: remove unnecessary semicolons after interface/template calls.
2009-06-19 13:52:33 +00:00
c1262146e0
trunk: Remove node definitions and change node usage to generic nodes.
2009-01-09 19:48:02 +00:00
668b3093ff
trunk: change network interface access from all to generic network interfaces.
2009-01-06 20:24:10 +00:00
17ec8c1f84
trunk: bump module versions for release.
2008-12-10 19:38:10 +00:00
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
2cca6b79b4
trunk: remove redundant shared lib calls.
2008-10-17 17:31:04 +00:00
2a98379a24
trunk: additional whitespace fixes.
2008-10-17 15:52:39 +00:00
0b36a2146e
trunk: Enable open permission checks policy capability.
2008-10-16 16:09:20 +00:00
5d4f4b5375
trunk: bump version numbers for release.
2008-10-14 15:46:36 +00:00
e0ed765c0e
trunk: 3 patches from the fedora policy, cherry picked by David Hardeman.
2008-08-11 14:03:36 +00:00
cfcf5004e5
trunk: bump versions for release.
2008-07-02 14:07:57 +00:00
e9c6cda7da
trunk: Move user roles into individual modules.
2008-04-29 13:58:34 +00:00
0a14f3ae09
trunk: bump module version numbers for release.
2008-04-02 16:04:43 +00:00
e828954c63
trunk: 4 patches from dan.
2008-03-27 15:20:16 +00:00
2ed4f5aedf
trunk: small fixes for gentoo system.
2008-03-20 14:55:17 +00:00
12cf805e1c
trunk: add basic ubuntu support
2008-02-05 18:24:43 +00:00
f7925f25f7
trunk: bump module versions for release.
2007-12-14 14:23:18 +00:00
02d968c581
trunk: several fc updates from dan.
2007-12-12 15:55:21 +00:00
bd973e3e68
trunk: remove unused types from dbus.
2007-10-26 18:04:38 +00:00
12e9ea1ae3
trunk: module version bumps for previous commit.
2007-10-02 17:15:07 +00:00
350b6ab767
trunk: merge strict and targeted policies. merge shlib_t into lib_t.
2007-10-02 16:04:50 +00:00
116c1da330
trunk: update module version numbers for release.
2007-06-29 14:48:13 +00:00
Chris PeBenito
cgzones
Chris PeBenito
Stephen Smalley
Steve Lawrence
Nicolas Iooss
Sven Vermeulen
Dominick Grift
Russell Coker
Chris PeBenito